As a controller, your school is responsible for the security and processing of all personal data you collect. This responsibility extends to the data you share with any third parties such as your suppliers. If one of your suppliers falls foul of the GDPR and the data you shared with them is compromised, the data protection authority may come knocking on your door. Although this may seem a little onerous, there is clear guidance on how to responsibly protect the data you share and how to legally protect yourselves.
The appointment of a data protection officer is one of the more daunting requirements of the GDPR. The concept of the DPO has been around for a long time, and a number of EU countries have had the requirement in place for years, most notably Sweden and Germany. The GDPR now makes this appointment mandatory across the EU regardless of the size of the organisation, though there are other criteria that determine whether a DPO is required. Before we get into the criteria, I'll cut to the chase: schools will almost certainly need a DPO.
The thing about the GDPR is that it's not going away and it's not going to pass by silently on May 25th 2018. It's designed to make everyone sit up and take notice.
The truth is, current data protection practice tends to be more reactive than proactive. The GDPR is designed to make the data controller, in this case schools, fully responsible for managing their students', staff's and parents' data and to actively prove they comply with the regulation.
The GDPR defines personal data as:
"... any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;"
Article 5 Principles relating to processing of personal data
To be clear, the 'data' element of 'personal data' refers to recorded information that is, or is intended to be, stored and processed electronically as part of a filing system.
Consent is not a new concept and has been a core part of data protection and privacy laws for decades. However, the GDPR raises the bar considerably on the 'conditions for processing' personal data.
Simply put, 'consent' means obtaining clear permission to hold and process a person's data for a specific use. Although explicit permission is already required, 'opt out' practices have become commonplace, e.g. pre-ticked checkboxes to receive marketing material, making consent more of an assumption than an explicit permission. The GDPR is far more explicit about what constitutes consent and aims to entirely remove this kind of deception.
Article 7 GDPR Conditions for consent
You may be wondering why we need new privacy laws. As it stands, data privacy laws vary from country to country within the EU, with little harmonisation. This causes confusion, reduces trust and ultimately undermines the effectiveness of data privacy laws. The GDPR is intended as a 'one-stop-shop' bringing with it a high level of alignment across the European Union. This of course also makes it far easier to administer and enforce.
The following are the key elements of the GDPR. We'll be going into the details of each one of these in future blog posts. If you're not already subscribed, you can get email alerts as soon as we publish new articles.
There are many specialised words and terms associated with the General Data Protection Regulation (GDPR). These are the most common ones.
- Binding Corporate Rules (BCR)
- Corporate rules that allow multinational organisations, such as multinational school networks, to safely and legally transfer data internally (within the organisation) but across EU borders.
- Consent
- Freely given, specific, informed and explicit consent, by statement or action, by the student, parent, staff member or any person signifying agreement to the processing of their personal data.
- Data Controller
- This is the school. The controller determines the purposes, conditions and means of the processing of personal data.
What is GDPR?
The General Data Protection Regulation is the EU's tough new privacy and data protection law, designed to significantly strengthen all EU citizens' rights and security relating to the data you store about them. This includes students', staff's and parents' right to legal action against the school or 'student information system' supplier, and the right to compensation for misuse of their personal data.